
Log rotation with xm_fileop

Hello,

I have nxlog installed on a server where we collect multiple logging streams; nxlog writes those logs to a flat file that is tailed and sent out to our other solutions. This system was not built for log retention, so I need nxlog to clear these log files every hour or potentially based on file size. I set up the xm_fileop module on them, defined each log file path and set up the rotation as pasted below; however, the logs grow and are not being cleared. Please take a look and let me know where I may have gone wrong. Thank you.

define OUTPUTFILE0 /opt/nxlog/data/fortifirewall/forti.log
define OUTPUTFILE1 /opt/nxlog/data/ciscovpn/ciscovpn.log
define OUTPUTFILE2 /opt/nxlog/data/cylance/cylance.log
define OUTPUTFILE3 /opt/nxlog/data/gpcvpcflow/gpcvpcflow.log
define OUTPUTFILE4 /opt/nxlog/data/infobloxdhcp/infobloxdhcp.log
define OUTPUTFILE5 /opt/nxlog/data/juniperips/juniperips.log
define OUTPUTFILE6 /opt/nxlog/data/pulsevpn/pulsevpn.log
define OUTPUTFILE7 /opt/nxlog/data/tanium/tanium.log
define OUTPUTFILE8 /opt/nxlog/data/windhcp/windhcp.log
define OUTPUTFILE9 /opt/nxlog/data/windns/windns.log
define OUTPUTFILE10 /opt/nxlog/data/winevents/winevents.log

<Extension fileop>
    Module xm_fileop
    # Truncate the file every hour
    <Schedule>
        Every 1 hour
        Exec file_truncate('%OUTPUTFILE0%');
        Exec file_truncate('%OUTPUTFILE1%');
        Exec file_truncate('%OUTPUTFILE2%');
        Exec file_truncate('%OUTPUTFILE3%');
        Exec file_truncate('%OUTPUTFILE4%');
        Exec file_truncate('%OUTPUTFILE5%');
        Exec file_truncate('%OUTPUTFILE6%');
        Exec file_truncate('%OUTPUTFILE7%');
        Exec file_truncate('%OUTPUTFILE8%');
        Exec file_truncate('%OUTPUTFILE9%');
        Exec file_truncate('%OUTPUTFILE10%');
    </Schedule>
</Extension>


anthonyweller created
Replies: 3
How to check own logs in Nxlog-Manager dashboard in linux platform.

Hi,

I installed nxlog and nxlog-manager for testing my own logs in the dashboard. I am new to nxlog and am not able to check this in the dashboard. Could you please tell me how to check logs in the dashboard? I didn't find any options in the dashboard menu.

Thanks in advance.


sureshnakkina created
Replies: 3
ERROR SSL error, failed to load ca cert from '/opt/nxlog/var/lib/nxlog/cert/agent-ca.pem',

Hi,

I just installed nxlog; when I started it I saw the error below in nxlog. How do I create this file and everything else? Can you please help me with this?

ERROR SSL error, failed to load ca cert from '/opt/nxlog/var/lib/nxlog/cert/agent-ca.pem', reason: No such file or directory, no such file, system lib

Thanks in advance.


sureshnakkina created
Replies: 3
Cannot communicate with database server.

Hi,

Can anyone please help with this issue I am facing? I'm new to nxlog and these things, and I am getting the error "Cannot communicate with database server." on the nxlog-manager dashboard page. This is my nxlog.conf file; please correct me if there are mistakes.

User nxlog
Group nxlog
Panic Soft

# default values:
PidFile /opt/nxlog/var/run/nxlog/nxlog.pid
CacheDir /opt/nxlog/var/spool/nxlog
ModuleDir /opt/nxlog/lib/nxlog/modules
SpoolDir /opt/nxlog/var/spool/nxlog

define CERTDIR /opt/nxlog/var/lib/nxlog/cert
define CONFDIR /opt/nxlog/var/lib/nxlog

# Note that these two lines define constants only; the log file location
# is ultimately set by the LogFile directive (see below). The
# MYLOGFILE define is also used to rotate the log file automatically
# (see the _fileop block).
define LOGDIR /opt/nxlog/var/log/nxlog
define MYLOGFILE %LOGDIR%/nxlog.log

# By default, LogFile %MYLOGFILE% is set in log4ensics.conf. This
# allows the log file location to be modified via NXLog Manager. If you
# are not using NXLog Manager, you can instead set LogFile below and
# disable the include line.
#LogFile %MYLOGFILE%
include %CONFDIR%/log4ensics.conf

<Extension _syslog>
    Module xm_syslog
</Extension>

<Extension json>
    Module      xm_json
</Extension>

# This block rotates %MYLOGFILE% on a schedule. Note that if LogFile
# is changed in log4ensics.conf via NXLog Manager, rotation of the new
# file should also be configured there.
<Extension _fileop>
    Module xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every   1 hour
        <Exec>
            if ( file_exists('%MYLOGFILE%') and
                 (file_size('%MYLOGFILE%') >= 5M) )
            {
                 file_cycle('%MYLOGFILE%', 8);
            }
        </Exec>
    </Schedule>

    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When    @weekly
        Exec    if file_exists('%MYLOGFILE%') file_cycle('%MYLOGFILE%', 8);
    </Schedule>
</Extension>

<Input in_file>
    Module im_file
    File '/opt/nxlog/var/log/testing.txt'
    SavePos TRUE
    ReadFromLast TRUE
    PollInterval 1
    Exec $Message = $raw_event;
</Input>

<Output out_tcp>
    Module om_tcp
    Host 192.168.x.x
    Port 9090
</Output>

<Route synot>
    Path in_file => out_tcp
</Route>


sureshnakkina created
Replies: 1
Unable to send logs to GrayLog - Multiple Route
Hi folks, I have the following nxlog.conf, which works fine:

define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
LogLevel INFO

Module xm_fileop
When @daily
Exec file_cycle('%ROOT%\data\nxlog.log', 7);

Module pm_buffer
Type Mem
MaxSize 16384

Module xm_gelf
# Avoid truncation of the short_message field to 64 characters.
ShortMessageLength 65536

Module xm_multiline
HeaderLine /^\d+\/\d\d\/\d\d\d\d+\s\d+:\d\d:\d\d+\s+[A-Z]+/

Module im_file
File 'C:\DNSLogs\DNSIN.log'
# SavePos TRUE
ReadFromLast FALSE
InputType multiline

Module om_file
File 'C:\DNSLogs\DNSOUT.log'
#Exec $raw_event = "-------------------------------------\n" + $raw_event;

Path filein => process-buffer => fileout

Now I am trying to send the data to our log collector Graylog and added an output and a route:

define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
LogLevel INFO

Module xm_fileop
When @daily
Exec file_cycle('%ROOT%\data\nxlog.log', 7);

Module pm_buffer
Type Mem
MaxSize 16384

Module xm_gelf
# Avoid truncation of the short_message field to 64 characters.
ShortMessageLength 65536

Module xm_multiline
HeaderLine /^\d+\/\d\d\/\d\d\d\d+\s\d+:\d\d:\d\d+\s+[A-Z]+/

Module im_file
File 'C:\DNSLogs\MGTDCP03_DN.log'
# SavePos TRUE
ReadFromLast FALSE
InputType multiline

Module om_file
File 'C:\DNSLogs\MGTDCP03_DNSOUT-2.log'
#Exec $raw_event = "-------------------------------------\n" + $raw_event;

Path filein => process-buffer => fileout

Module om_tcp
Host 172.17.1.87
Port 5044
OutputType GELF_TCP
$gl2_source_collector = '${sidecar.nodeId}';
$collector_node_id = '${sidecar.nodeName}';

Path filein => process-buffer => gelf

However, I start getting error messages in nxlog.log. I have tried some troubleshooting steps, but so far I am not able to get around the problem. I would appreciate it if you could help me resolve this issue.

2020-05-15 05:43:17 WARNING stopping nxlog service
2020-05-15 05:43:17 WARNING nxlog-ce received a termination request signal, exiting...
2020-05-15 05:43:18 INFO nxlog-ce-2.10.2150 started
nxlog failed to start: Couldn't parse Exec block at C:\Program Files\Graylog\sidecar\generated\nxlog.conf:58 couldn't parse statement at line 59, character 67 in C:\Program Files\Graylog\sidecar\generated\nxlog.conf invalid character: ' ' (0xd)
2020-05-15 05:44:17 ERROR Couldn't parse Exec block at C:\Program Files\Graylog\sidecar\generated\nxlog.conf:58; couldn't parse statement at line 59, character 67 in C:\Program Files\Graylog\sidecar\generated\nxlog.conf; invalid character: ';' (0xd)
2020-05-15 05:44:17 WARNING stopping nxlog service
2020-05-15 05:44:17 WARNING nxlog-ce received a termination request signal, exiting...
2020-05-15 05:44:18 ERROR Couldn't parse Exec block at C:\Program Files\Graylog\sidecar\generated\nxlog.conf:58; couldn't parse statement at line 59, character 67 in C:\Program Files\Graylog\sidecar\generated\nxlog.conf; invalid character: ';' (0xd)
2020-05-15 05:44:18 ERROR cannot add processor module 'process-buffer' to route 'to_graylog' because it is already added to route 'parse_multiline', you should define another instance at C:\Program Files\Graylog\sidecar\generated\nxlog.conf:65
2020-05-15 05:44:18 ERROR module 'gelf' has configuration errors, not adding to route 'to_graylog' at C:\Program Files\Graylog\sidecar\generated\nxlog.conf:65
2020-05-15 05:44:18 ERROR route to_graylog is not functional without output modules, ignored at C:\Program Files\Graylog\sidecar\generated\nxlog.conf:65
2020-05-15 05:44:18 WARNING not starting unused module gelf
2020-05-15 05:44:18 INFO nxlog-ce-2.10.2150 started

navdeepsingh83 created
Replies: 1
Reading audit.log on Linux

I am trying to read the audit.log on Linux. I am using the input noted below; however, I keep receiving this error:

WARNING Module audit has no input files to read

<Input audit>
    Module im_file
    File "/var/log/audit/audit.log"
</Input>

Can somebody please explain to me what this error means and why I would be receiving it?

Thanks in advance for any help on this!


byron.anderson_atmosera.com created
Replies: 2
Community edition TLS version

According to the NXLog user documentation (https://nxlog.co/documentation/nxlog-user-guide-full#introduction) the community edition only supports TLSv1.0. Will it be updated to support TLSv1.2, since 1.0 has known vulnerabilities? And if so, when is this planned for?


loza created
Replies: 1
Add IP Address to FIM Output

I am testing the FIM module but would like it to not only include the name of the system that the event is coming from but also the IP address. Is there an easy way to have the output for the FIM module include the IP address of the system in the event?


byron.anderson_atmosera.com created
Replies: 1
Syslog forwarding, bogus IP address

We are in the process of ditching SolarWinds Kiwi Syslog because it is not performing and is unstable after every .NET update. We mostly use syslog as a proxy between the customer network and our own datacenter where the SIEM is located. One of the things we heavily use is a filter like: log received from host x.x.x.x, message text contains " modsecurity ", then forward the log to our SIEM but with a bogus IP address like 127.0.12.1. We use this to split the logs into separate log sources. Is such a filter possible with NXLog (community)? We want to purchase the software but need to build a PoC first. What we want to accomplish first, before doing fancy stuff, is to listen on UDP port 514 and forward those logs to a remote syslog server. I was thinking it was something simple like:

Module xm_syslog

Module im_udp
Host 0.0.0.0
Port 514
Exec parse_syslog();

Module om_tcp
Host 10.202.5.10
Port 530
Exec to_syslog_bsd();

Path in => out, outtcp

but that doesn't really do anything.

Martijng created
Replies: 1
run bash script when ERROR spotted in logs in nxlog
I am trying to run a script every time an error is found in logs:

Module xm_exec

Module im_file
File "/home/rafal/gitprojects/mst-sender/hub.cloudradar-error.log"
if $raw_event =~ /(\S+)\ (.+) \[ERROR (.+)/
{
    exec_async("/bin/sh", "/home/rafal/gitprojects/mst-sender/run.sh");
}

From the documentation it looks like it should exec async if the regex matches, but I am seeing only the following log:

WARNING not starting unused module in

and the script is not executed. I don't need to output it, only run that script. I added a route, but this isn't helping either:

Module om_null

# Basic route
Path in => out1

I created another config file as follows, just to log a warning, but again it's not getting executed:

define ACTION { log_warning("dropping message"); drop(); }

Module xm_exec

Module im_file
File 'D:\mst-sender\hub.cloudradar-error.log'
Exec if $raw_event =~ /ERROR/ %ACTION%

Module om_null

# Basic route
Path in => out1

and here is my config file:

04/Apr/2020:20:55:33 +0000 [ERROR 0 /hub.cloudradar.php] PHP message: PHP Notice: Indirect modification of overloaded element of Silex\Application has no effect in /var/www/hub/src/app.php on line 96
04/Apr/2020:20:55:33 +0000 [ERROR 0 /hub.cloudradar.php] PHP message: PHP Notice: Indirect modification of overloaded element of Silex\Application has no effect in /var/www/hub/src/app.php on line 96

**UPDATE** I found the problem. It's a silly mistake of mine. You need to **make changes** in the log file to see the log lines being parsed.

Rafalf created
Replies: 1
Memory issues on NXLog

We have an application that does multiple updates every morning between 6am and 7am. During this time it generates massive amounts of log entries. This in turn causes the box to run out of memory, triggering Linux's OOM killer. We are running nxlog-ce.

I have added

PersistLogqueue TRUE
SyncLogqueue TRUE
CacheFlushInterval always
CacheSync TRUE

to the config, and will see if that makes a difference, but it seems that is more to safeguard messages from being lost.

I have looked at https://nxlog.co/question/802/nxlog-ce-memory-leak and https://nxlog.co/question/4132/cache-disk-works-not-good, but not sure those two are what I am after?


Wernervdmerwe created
Replies: 4
Accessing nested JSON values in the config

Can't find this in the documentation and it seems like it should be fairly obvious, so apologies if this is a dumb question. Given the below JSON, if I perform parse_json($raw_event) with Flatten set to the default value of FALSE, how do I access the $header.time_seconds_epoch value, or any other nested value within the config? If Flatten is set to TRUE, then $header.time_seconds_epoch has the expected value in it, but with it set to FALSE, $header.time_seconds_epoch is NULL.

{
  "event_severity": 0,
  "header": {"event_name": "test", "time_seconds_epoch": 1588267608},
  "host_info": {"host_name": "test"}
}


gportnoy created
NXLog language selection error?

I have a scenario where NXLog (CE) collects log events on Windows Server 2012 R2 using im_msvistalog and sends messages to a syslog server. The system has a rather unconventional language and locale setting: the location and locale are German (Germany), but the language preference is set to English (US). All software installed / running generates GUI and messages in English, as expected.

However, NXLog / im_msvistalog doesn't seem to decide the output language based on the language preference but on the local formats setting instead, and therefore sends the messages in German.

I suppose this is a bug, as NXLog (CE) is the only software presenting anything in German on those systems. Or is there anything I can do to correct that?


Dirk created
Replies: 1
Converting LEEF to CEF

I need a way to convert a message from an incoming LEEF payload to outgoing CEF format. When I have tried to use parse_leef(); and then to_cef(); I appear to get the right format, but my payload contains the following:

Apr 29 06:55:03 x.x.x.x LEEF:1.0|CEF|....

Obviously I need the LEEF field removed and the CEF field in its place. The parser at the other end doesn't know what to do with this formatting.


kmschramm created
Replies: 1
IETF Timestamp Format

Hi,

I'm trying to change the IETF timestamp format (number of digits of precision). I have used to_syslog_ietf() to create the formatted log message. Does anyone know how we can change the time from 6 decimals to 3 or no decimal precision?

Sample Logs - (Current timestamp with 6 decimal) 2012-01-01T17:15:52.873750+08:00 myhost - - - [NXLOG@14506 TestField="test value"] test message

Required (timestamp with 3 decimal or no decimal) 2012-01-01T17:15:52.000+08:00 myhost - - - [NXLOG@14506 TestField="test value"] test message

Thanks.


md22 created
Replies: 1
Need help in Configuring nxlog running on Windows to send DNS Analytical logs

Hello,

Are there any links or discussions on how nxlog should be configured so that a Windows server can send DNS Analytical logs to a remote collector?

Thank you. Any direction is much appreciated.

Temy


tomolte created
Replies: 1
windows to syslog to splunk using json
Hello, we are working on centralizing logging onto a syslog-ng server and using nxlog for the Windows part of the infrastructure. We are using the IP of the sender to route the message to the correct file on the syslog server, and I am trying to force nxlog to use the host's IP instead of its name in the syslog header, without much success. The end goal is to forward everything (Windows, Linux, Network) to syslog-ng and from there to Splunk using the Splunk Forwarder on the syslog server. For Windows I am using the to_json() function on the message part so that the logs are parsed automatically on the Splunk side. There are 3 different QueryXML so as to assign different severity/facility to the messages and, again, route the messages to the correct file on the syslog server. I have tried both to_syslog_bsd() and to_syslog_ietf(). For the "old" BSD format I am unable to force the IP in the syslog header; when I use the IETF format, the IP is correctly used but I then end up with a huge header and data (time, source, ..) being repeated several times, which is not efficient.

BSD format:

Apr 27 14:38:45 WIN-0KNG645FE0L Microsoft-Windows-Security-Auditing[628]: {"EventTime":"2020-04-27 14:38:45","Hostname":"10.10.231.53","Keywords":-9214364837600034816,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4672,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"Task":12548,"OpcodeValue":0,"RecordNumber":22998,"ActivityID":"{9B9FF64D-1C66-0003-EBF6-9F9B661CD601}","ProcessID":628,"ThreadID":692,"Channel":"Security","Category":"Special Logon","Opcode":"Info","SubjectUserSid":"S-1-5-18","SubjectUserName":"SYSTEM","SubjectDomainName":"NT AUTHORITY","SubjectLogonId":"0x3e7","PrivilegeList":"SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege","EventReceivedTime":"2020-04-27 14:38:47","SourceModuleName":"in_sec","SourceModuleType":"im_msvistalog","SyslogFacilityValue":17,"SyslogSeverityValue":2}

IETF format:

Apr 27 13:39:38 10.10.231.53 1 2020-04-27T13:39:36.528628+02:00 WIN-0KNG645FE0L Microsoft-Windows-Security-Auditing 628 - [NXLOG@14506 Keywords="-9214364837600034816" EventType="AUDIT_SUCCESS" EventID="5379" ProviderGuid="{54849625-5478-4994-A5BA-3E3B0328C30D}" Version="0" Task="13824" OpcodeValue="0" RecordNumber="22664" ActivityID="{9B9FF64D-1C66-0003-EBF6-9F9B661CD601}" ThreadID="1580" Channel="Security" Category="User Account Management" Opcode="Info" SubjectUserSid="S-1-5-21-4288340226-4165896404-4155820673-500" SubjectUserName="Administrator" SubjectDomainName="WIN-0KNG645FE0L" SubjectLogonId="0x53ac84" TargetName="ServerManager*" Type="0" CountOfCredentialsReturned="0" ReadOperation="%%8100" ReturnCode="3221226021" ProcessCreationTime="2020-04-27T11:39:34.659068400Z" ClientProcessId="2716" EventReceivedTime="2020-04-27 13:39:38" SourceModuleName="in_sec" SourceModuleType="im_msvistalog"] {"EventTime":"2020-04-27 13:39:36","Hostname":"10.10.231.53","Keywords":-9214364837600034816,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":5379,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","Version":0,"Task":13824,"OpcodeValue":0,"RecordNumber":22664,"ActivityID":"{9B9FF64D-1C66-0003-EBF6-9F9B661CD601}","ProcessID":628,"ThreadID":1580,"Channel":"Security","Category":"User Account Management","Opcode":"Info","SubjectUserSid":"S-1-5-21-4288340226-4165896404-4155820673-500","SubjectUserName":"Administrator","SubjectDomainName":"WIN-0KNG645FE0L","SubjectLogonId":"0x53ac84","TargetName":"ServerManager*","Type":"0","CountOfCredentialsReturned":"0","ReadOperation":"%%8100","ReturnCode":"3221226021","ProcessCreationTime":"2020-04-27T11:39:34.659068400Z","ClientProcessId":"2716","EventReceivedTime":"2020-04-27 13:39:38","SourceModuleName":"in_sec","SourceModuleType":"im_msvistalog","SyslogFacilityValue":17,"SyslogSeverityValue":2}

- BSD format seems preferred as it makes for smaller messages
- Sending over TCP so as to not lose some of the largest messages

Edit:
- NXLog nxlog-ce-2.10.2150
- Windows 2019

nxlog.conf:

define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

Module xm_syslog

Module xm_json

Module im_internal

Module im_msvistalog
*
$SyslogFacilityValue = syslog_facility_value("local1");
$SyslogSeverityValue = syslog_severity_value("emerg");
# $Message = to_json();
# $raw_event = to_json();
# to_syslog_bsd();

Module im_msvistalog
*
$SyslogFacilityValue = syslog_facility_value("local1");
$SyslogSeverityValue = syslog_severity_value("alert");
# $Message = to_json();
# to_syslog_bsd();

Module im_msvistalog
*
$SyslogFacilityValue = syslog_facility_value("local1");
$SyslogSeverityValue = syslog_severity_value("crit");
# $Hostname = host_ip();
# parse_syslog();
# $Message = to_json();
# to_syslog_bsd();
delete($Message);

Module om_tcp
Host 10.10.231.11
port 514
$Hostname = host_ip();
# parse_syslog();
# log_info($raw_event);
$Message = to_json();
$Message =~ s/\\[r|n|t]/ /g;
# to_syslog_ietf();
to_syslog_bsd();
$raw_event =~ s/\s{2,}/ /g;

Path in_sys, in_app, in_sec => syslog-srv

vguyard created
Replies: 1
im_file configuration - use wildcard chars in path

Hi,

Is there any solution to use wildcard chars in the path in the file input setting?

I have these folders:

/path/to/logs/t-01test/log/app.log
/path/to/logs/t-02apple/log/app_20200427.log
/path/to/logs/t-03horse/log/app.log
/path/to/logs/t-04table/log/app.log

I used this input settings:

<Input in_app>
    Module im_file
    File "/path/to/logs/t-*/log/app.log"
    SavePos TRUE
    InputType LineBased
</Input>

I always get the error: ERROR failed to open directory: /path/to/logs/t-*/logs: No such file or directory

I used this setting before:

<Input in_app>
    Module im_file
    File "/path/to/logs/app.log"
    SavePos TRUE
    InputType LineBased
</Input>

This is working correctly, but we have added some folders under /path/to/logs/t-01test/ which the nxlog user can't read, for security reasons. The nxlog log is full of errors because of insufficient rights: ERROR failed to open directory: path/to/logs/t-01test/conf: Permission denied

Is it allowed to use wildcards in the path?

Thanks!


Zola created
Replies: 2
ERROR apr_file_write failed in om_exec on Windows OS when trying to send logs to Azure Log Analytics

Hello, I'm trying to configure NXLog CE (installed on Windows Server 2012 R2) to collect syslog (from a Cisco ASA), save it to a file and send it to Azure Log Analytics (aka Microsoft OMS). As a first step I collect syslog, convert it to JSON and save it to a file. That works well. Next I installed the latest Python (3.8) and checked that all libs are installed. After that I changed the nxlog.conf according to the manual (https://nxlog.co/documentation/nxlog-user-guide/azure-oms.html#forwarding-data-to-log-analytics). But NXLog gives me the following error: `ERROR apr_file_write failed in om_exec; The pipe is being closed.` How can I fix this error? My nxlog.conf:

Panic Soft
#NoFreeOnExit TRUE
define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
define JSONLOGFILE C:\Program Files (x86)\nxlog\data\json.txt
LogFile %LOGFILE%
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

Module xm_syslog

Module xm_charconv
AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32

Module xm_exec

Module xm_fileop
# Check the size of our log file hourly, rotate if larger than 5MB
Every 1 hour
Exec if (file_exists('%LOGFILE%') and \
        (file_size('%LOGFILE%') >= 5M)) \
        file_cycle('%LOGFILE%', 8);
# Rotate our log file every week on Sunday at midnight
When @weekly
Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);

Module xm_json

Module im_udp
Port 514
Host 192.168.1.2
Exec parse_syslog(); to_json();

Module om_file
File '%JSONLOGFILE%'

Module om_exec
Command "C:\\Users\\user\\AppData\\Local\\Programs\\Python\\Launcher\\py.exe"
Arg "C:\Program Files (x86)\nxlog\oms-pipe.py"

Path udp => file, azure_oms

My configuration is different from the example in the manual in the "Output azure_oms" part. If I use this part as in the manual, an error appears:

Module om_exec
Command oms-pipe.py
Exec to_json();

Error: `ERROR couldn't execute process oms-pipe.py; The system cannot find the file specified. `

Please help me fix this error.

Anton.I created
Replies: 1
sending time with milliseconds to graylog

I have been using nxlog-ce-2.9.1716 to send logs to Graylog. In Graylog the timestamp is without milliseconds. For parsing the string to a date I use this code:

if ( $raw_event =~ /^(\d{4}-\d\d-\d\d\s\d{1,2}:\d{1,2}:\d{1,2},\d{1,3})\s[\d+]\s(\S+)\s+\s+(.*)/ )
{
    $EventTime = parsedate($1);
    $EventTime = parsedate(strftime($EventTime, '%Y-%m-%d %H:%M:%SZ'));
}

In this case I lose the milliseconds. How can I use the parsedate() method with milliseconds and convert the time to UTC?


spodius created
Replies: 1